4.2 - Group Policy

Group Policy

A Group Policy Object (GPO) is a set of configurations that control the behavior of computers and users in an Active Directory environment. GPOs allow administrators to enforce security policies, software installations, and other system settings across the domain.

Key Components of GPOs

  • Computer Configuration – Policies applied to computers regardless of which user logs in.

  • User Configuration – Policies applied to users regardless of which computer they use.

A GPO is a virtual collection of policy settings and security permissions applicable to users and computers; it can be linked to domains, sites and OUs.

Overly permissive GPO security settings and GPO misconfiguration (especially in the context of OUs) make a good attack vector.

Enumerate GPO using PowerView

  • Get the list of GPOs in the current domain

    Get-DomainGPO
    Get-DomainGPO | select displayname
    Get-DomainGPO -ComputerIdentity dcorp-student1

  • Get GPOs which use Restricted Groups or groups.xml for interesting users

    Get-DomainGPOLocalGroup

  • Get users which are in a local group of a machine using GPO

    Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity dcorp-student1

  • Get machines where the given user is a member of a specific group

    Get-DomainGPOUserLocalGroupMapping -Identity student1 -Verbose

  • Get OUs in a domain

    Get-DomainOU
    Get-ADOrganizationalUnit -Filter * -Properties *

  • Get the GPO applied on an OU; read the GPO name from the gplink attribute returned by Get-NetOU

    Get-DomainGPO -Identity "{0D1CC23D-1F20-4EEE...........}"
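
The gplink attribute used in the last step packs every GPO link of an OU into one string. The block below is an added example, not part of the original page or of PowerView: the hypothetical helper ConvertFrom-GpLink splits such a value into GPO GUIDs and link flags so that linked, disabled and enforced policies can be reviewed per OU. The OU names and GUIDs are constructed sample data.

```powershell
# Added example: split a gPLink value into one object per linked GPO.
# Format: [LDAP://cn={GUID},cn=policies,cn=system,DC=...;<options>][...]
# <options> is a bit field: 0x1 = link disabled, 0x2 = link enforced.
function ConvertFrom-GpLink {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [AllowEmptyString()][string]$GpLink   # empty when the OU has no links
    )
    $pattern = '\[LDAP://(?<dn>cn=(?<guid>\{[0-9A-Fa-f\-]{36}\}),[^;\]]+);(?<opt>\d+)\]'
    $position = 0
    foreach ($m in [regex]::Matches($GpLink, $pattern, 'IgnoreCase')) {
        $opt = [int]$m.Groups['opt'].Value
        $position++
        [pscustomobject]@{
            OU       = $OuDistinguishedName
            GpoGuid  = $m.Groups['guid'].Value.ToUpper()
            GpoDN    = $m.Groups['dn'].Value
            Enabled  = -not ($opt -band 1)      # bit 0x1 set means disabled
            Enforced = [bool]($opt -band 2)     # bit 0x2 set means enforced
            Position = $position                # order inside the attribute string
        }
    }
}

# Constructed sample data: OU names and GUIDs are made up for this example.
$suffix = ',cn=policies,cn=system,DC=example,DC=local'
$sample = @(
    @{ DN   = 'OU=Students,DC=example,DC=local'
       Link = "[LDAP://cn={11111111-2222-3333-4444-555555555555}$suffix;0]" +
              "[LDAP://cn={AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}$suffix;2]" },
    @{ DN   = 'OU=Servers,DC=example,DC=local'
       Link = "[LDAP://cn={99999999-8888-7777-6666-555555555555}$suffix;1]" }
)

# One row per OU/GPO link; the Servers link shows Enabled = False.
$sample |
    ForEach-Object { ConvertFrom-GpLink -OuDistinguishedName $_.DN -GpLink $_.Link } |
    Format-Table OU, GpoGuid, Enabled, Enforced, Position -AutoSize
```

On a live domain the function can be fed the distinguishedname and gplink properties of each OU object instead of the sample array, and each resulting GUID can be passed to Get-DomainGPO -Identity to read the display name.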

Another good way is using BloodHound.
